Netgate Discussion Forum
    Custom DNSBL rules or Group Alias [FQDN]

    pfBlockerNG
    7 Posts 2 Posters 1.4k Views
    • None 0

      Hello,

      I've searched for this, but couldn't find a clear answer, so I would appreciate some help.

      I want to block a list of domains, but only for specified IPs in my network. What's the better way to accomplish that?
      I know that creating an Alias and manually setting all FQDN hosts would do it, but I would like to use lists, since they can be more easily worked with. If that could be done with pfBlockerNG, it would be great (:

      Thanks in advance.

      • keyser (Rebel Alliance) @None 0
        last edited by keyser

        @none-0 In pfSense you can create aliases (group lists) either manually, or by referencing a local text file, or by referencing a text file on an HTTP URL.

        So if you have a webserver somewhere, place your text file with the client IPs that need to be blocked there, and reference that in a pfSense Alias.

        In pfBlockerNG you then ask it to create a “DENY ALIAS” instead of actually creating automatic block rules. This will result in a similar ALIAS group like you just created from your text file, but this time it contains all the sites/feeds you asked pfBlockerNG to block.

        Then you create your own block rule with your Client Alias list as source, and the pfBlockerNG DENY ALIAS as destination.

        It’s pretty neat actually, as you can fine-tune how often pfSense refreshes your Client list alias (downloads your text file again). This is done in Advanced - Tunables.

        Love the no fuss of using the official appliances :-)

        • None 0 @keyser

          @keyser, but using a list of domains in IPv4 won't really work, right?
          I tried it, but the domains were still accessible, probably because they're using different IPs from those pfBlockerNG created based on the domain list (big sites that use more than 1 IP).
          Or should this work, and I messed something up? :p

          • keyser (Rebel Alliance) @None 0

            @none-0 Uhh, I’m a little confused.. You are not looking to create lists of clients that need to be blocked, but rather to create your own list of domains that clients are banned from reaching?

            If that’s the case then just add your list (text file placed on a web service) as a feed in a new “DNSBL Group” you create yourself. This will make pfBlockerNG import the list and instruct the Unbound DNS server on pfSense not to resolve those domain names correctly, but rather to block them (like any of the built-in feeds in pfBlockerNG).

            Love the no fuss of using the official appliances :-)

            • None 0 @keyser

              @keyser Yes! Sorry for the confusion.
              I want to use a list of domains to be blocked only on specified clients.
              Just as your example with IPv4, but instead of a list of IPs, I would use a list of domains.

              If I add the list to the DNSBL group, it will block them for all the clients on the interface, right?
              Is there a way to only block the domain list (FQDN) for specified IPs in my network?

              • keyser (Rebel Alliance) @None 0

                @none-0 Ahh, now I get where you are going - sorry for the misunderstanding...

                Yeah, having DNSBL block requests for domain names in your own list will by default have effect for all clients.

                I believe it is possible to have different "views" (replies) from Unbound DNS depending on which client IP address/range you come from. But it is not a firewall rule setting - it's an advanced setting made in Unbound DNS.

                I have no idea if BBCAN177 has made it possible to use selective Unbound DNS views, based on DNSBL Group lists combined with a client source specification.
                Before python mode was the new black, I believe one could create an Unbound View yourself, which made some clients see DNS with the pfBlockerNG lists included - others just saw regular open DNS.

                But I can't help you here as I have never tried it.

                Perhaps a search here for "Unbound View" can come up with something.

                Love the no fuss of using the official appliances :-)

                • None 0 @keyser
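The selective-view approach keyser describes above, as an added example that is not from the thread or from pfBlockerNG: a small generator that turns a domain feed (in the same text-file style as the alias lists discussed earlier) plus a list of restricted client IPs into an Unbound "views" fragment, which on pfSense would be pasted into the resolver's Custom options box. The `access-control-view`, `view:`, `view-first` and `local-zone ... always_nxdomain` directives are standard Unbound options; the feed and client list are constructed sample data, and the view name `restricted` is an assumption.

```python
import ipaddress
import re

# Constructed sample inputs (not from the thread): a domain feed in the usual
# one-domain-per-line / hosts-file style, and a list of restricted clients.
DOMAIN_FEED = """# constructed example feed
ads.example.net
0.0.0.0 tracker.example.org
bad domain.example   # invalid, skipped
"""
CLIENT_LIST = """# constructed example client list (IPs or CIDR blocks)
192.168.1.50
192.168.1.64/27
not-an-ip
"""

# Hostname grammar: labels of 1-63 chars, total length <= 253, no spaces.
DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z0-9-]{2,63}$")

def parse_domains(text):
    """Return valid, lower-cased, de-duplicated domains from a feed."""
    out = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip().lower()   # drop comments
        if not line:
            continue
        parts = line.split()
        # hosts-file lines look like "0.0.0.0 name"; keep only the name
        name = parts[-1] if len(parts) == 2 and parts[0] in ("0.0.0.0", "127.0.0.1") else line
        if DOMAIN_RE.match(name) and name not in out:
            out.append(name)
    return out

def parse_clients(text):
    """Return the client IPs/netblocks that should receive the blocked view."""
    nets = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            nets.append(ipaddress.ip_network(line, strict=False))
        except ValueError:
            continue                               # skip malformed entries
    return nets

def render_unbound_view(domains, clients, view="restricted"):
    """Emit an Unbound fragment: only the listed clients get NXDOMAIN answers."""
    lines = ["server:"]
    lines += [f"  access-control-view: {n.with_prefixlen} {view}" for n in clients]
    lines += ["view:", f'  name: "{view}"', "  view-first: yes"]
    lines += [f'  local-zone: "{d}." always_nxdomain' for d in domains]
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    print(render_unbound_view(parse_domains(DOMAIN_FEED), parse_clients(CLIENT_LIST)))
```

Clients outside the listed netblocks keep getting normal answers; note that a client pointed at some other resolver bypasses the view entirely, so the restriction only holds if those clients are forced to use the pfSense resolver.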

                  Alright, thanks for the help, @keyser!

                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.